tessl/maven-org-elasticsearch--elasticsearch-ssl-config
SSL/TLS configuration library for Elasticsearch providing comprehensive security management utilities.
—
Pending
key-management.mddocs/
Key Management
SSL key material management with support for PEM files, keystores, programmatic key configurations, and key manager creation with comprehensive validation and security features.
Capabilities
SSL Key Configuration Interface
Core interface for SSL key material configuration providing key managers and key material access.
/**
* Interface for SSL key material configuration
*/
public interface SslKeyConfig {
/**
* Gets all certificate and key files this configuration depends on
* @return collection of file paths for monitoring changes
*/
Collection<Path> getDependentFiles();
/**
* Creates a key manager from this key configuration
* @return configured X509ExtendedKeyManager for SSL contexts
* @throws SslConfigException if key manager creation fails
*/
X509ExtendedKeyManager createKeyManager();
/**
* Gets all private keys and their associated certificates
* @return list of private key and certificate tuples
*/
List<Tuple<PrivateKey, X509Certificate>> getKeys();
/**
* Gets all configured certificates with metadata
* @return collection of stored certificates
*/
Collection<StoredCertificate> getConfiguredCertificates();
/**
* Checks if this configuration contains any key material
* @return true if key material is available
*/
default boolean hasKeyMaterial();
/**
* Converts this key configuration to a trust configuration
* @return SslTrustConfig using the certificates from this key config
*/
default SslTrustConfig asTrustConfig();
}PEM Key Configuration
Key configuration that reads from PEM formatted certificate and private key files.
/**
* SSL key configuration using PEM formatted certificate and key files
*/
public final class PemKeyConfig implements SslKeyConfig {
/**
* Creates a PEM-based key configuration
* @param certificatePath path to PEM certificate file (relative to configBasePath)
* @param keyPath path to PEM private key file (relative to configBasePath)
* @param keyPassword password for encrypted private key (null if unencrypted)
* @param configBasePath base path for resolving relative paths
*/
public PemKeyConfig(String certificatePath, String keyPath, char[] keyPassword, Path configBasePath);
/**
* Checks if this configuration contains key material
* @return true if both certificate and key files are configured
*/
public boolean hasKeyMaterial();
/**
* Gets dependent certificate and key file paths
* @return collection containing certificate and key file paths
*/
public Collection<Path> getDependentFiles();
/**
* Gets configured certificates with metadata
* @return collection of certificates from the PEM file
*/
public Collection<StoredCertificate> getConfiguredCertificates();
/**
* Creates X509ExtendedKeyManager from PEM files
* @return configured key manager
* @throws SslConfigException if PEM parsing or key manager creation fails
*/
public X509ExtendedKeyManager createKeyManager();
/**
* Gets private keys and certificates from PEM files
* @return list of private key and certificate pairs
*/
public List<Tuple<PrivateKey, X509Certificate>> getKeys();
/**
* Converts to trust configuration using the certificates
* @return PemTrustConfig using this configuration's certificates
*/
public SslTrustConfig asTrustConfig();
@Override
public String toString();
@Override
public boolean equals(Object o);
@Override
public int hashCode();
}Usage Examples:
import org.elasticsearch.common.ssl.PemKeyConfig;
import javax.net.ssl.X509ExtendedKeyManager;
import java.nio.file.Path;
import java.nio.file.Paths;
// Create PEM key configuration with unencrypted key
PemKeyConfig keyConfig = new PemKeyConfig(
"server.crt", // certificate file
"server.key", // private key file
null, // no password (unencrypted key)
Paths.get("/etc/ssl") // base path
);
// Create PEM key configuration with encrypted key
PemKeyConfig encryptedKeyConfig = new PemKeyConfig(
"certs/server.pem", // certificate file
"private/server.key", // private key file
"secret123".toCharArray(), // key password
Paths.get("/config") // base path
);
// Create key manager
X509ExtendedKeyManager keyManager = keyConfig.createKeyManager();
// Check for key material
if (keyConfig.hasKeyMaterial()) {
// Get dependent files for monitoring
Collection<Path> files = keyConfig.getDependentFiles();
// Get certificates with metadata
Collection<StoredCertificate> certificates = keyConfig.getConfiguredCertificates();
// Convert to trust configuration
SslTrustConfig trustConfig = keyConfig.asTrustConfig();
}Store Key Configuration
Key configuration that builds key managers from keystore files (JKS, PKCS12, etc.) with optional filtering.
/**
* SSL key configuration using keystore files
*/
public class StoreKeyConfig implements SslKeyConfig {
/**
* Creates a keystore-based key configuration
* @param path path to keystore file (relative to configBasePath)
* @param storePassword password for keystore access
* @param type keystore type (JKS, PKCS12, etc.) or null to infer from file extension
* @param filter optional function to filter keystore entries
* @param keyPassword password for private key extraction (may differ from store password)
* @param algorithm key manager algorithm (e.g., "SunX509", "PKIX")
* @param configBasePath base path for resolving relative paths
*/
public StoreKeyConfig(String path, char[] storePassword, String type,
@Nullable Function<KeyStore, KeyStore> filter, char[] keyPassword,
String algorithm, Path configBasePath);
/**
* Converts to trust configuration using keystore certificates
* @return StoreTrustConfig using this keystore for trust
*/
public SslTrustConfig asTrustConfig();
/**
* Gets dependent keystore file paths
* @return collection containing keystore file path
*/
public Collection<Path> getDependentFiles();
/**
* Checks if keystore contains key material
* @return true if keystore has private key entries
*/
public boolean hasKeyMaterial();
/**
* Gets private keys and certificates from keystore
* @return list of private key and certificate pairs
* @throws GeneralSecurityException if keystore access fails
*/
public List<Tuple<PrivateKey, X509Certificate>> getKeys() throws GeneralSecurityException;
/**
* Gets private keys and certificates with optional filtering
* @param filterKeystore whether to apply the configured filter
* @return list of private key and certificate pairs
* @throws GeneralSecurityException if keystore access fails
*/
public List<Tuple<PrivateKey, X509Certificate>> getKeys(boolean filterKeystore) throws GeneralSecurityException;
/**
* Gets configured certificates with metadata
* @return collection of certificates from keystore
*/
public Collection<StoredCertificate> getConfiguredCertificates();
/**
* Creates X509ExtendedKeyManager from keystore
* @return configured key manager
* @throws GeneralSecurityException if key manager creation fails
*/
public X509ExtendedKeyManager createKeyManager() throws GeneralSecurityException;
@Override
public String toString();
@Override
public boolean equals(Object o);
@Override
public int hashCode();
}Usage Examples:
import org.elasticsearch.common.ssl.StoreKeyConfig;
import java.security.KeyStore;
import java.util.function.Function;
import java.nio.file.Paths;
// Simple keystore configuration
StoreKeyConfig keystoreConfig = new StoreKeyConfig(
"keystore.p12", // keystore file
"storepass".toCharArray(), // keystore password
"PKCS12", // keystore type
null, // no filtering
"keypass".toCharArray(), // private key password
"PKIX", // key manager algorithm
Paths.get("/etc/ssl") // base path
);
// Keystore configuration with filtering (only include specific aliases)
Function<KeyStore, KeyStore> filter = keystore -> {
// Custom logic to filter keystore entries
return KeyStoreUtil.filter(keystore, entry ->
entry.getAlias().startsWith("server-"));
};
StoreKeyConfig filteredConfig = new StoreKeyConfig(
"combined.jks", // keystore file
"password".toCharArray(), // keystore password
null, // infer type from extension
filter, // apply custom filter
"keypass".toCharArray(), // private key password
"SunX509", // key manager algorithm
Paths.get("/config/ssl") // base path
);
// Use the configuration
X509ExtendedKeyManager keyManager = keystoreConfig.createKeyManager();
// Get specific keys and certificates
List<Tuple<PrivateKey, X509Certificate>> keys = keystoreConfig.getKeys();
// Convert to trust configuration
SslTrustConfig trustConfig = keystoreConfig.asTrustConfig();Empty Key Configuration
Singleton key configuration that provides no key material (null key manager).
/**
* SSL key configuration that provides no key material
*/
public final class EmptyKeyConfig implements SslKeyConfig {
/**
* Singleton instance for empty key configuration
*/
public static final EmptyKeyConfig INSTANCE;
/**
* Gets empty collection (no dependent files)
* @return empty collection
*/
public Collection<Path> getDependentFiles();
/**
* Gets empty list (no keys)
* @return empty list
*/
public List<Tuple<PrivateKey, X509Certificate>> getKeys();
/**
* Gets empty collection (no certificates)
* @return empty collection
*/
public Collection<StoredCertificate> getConfiguredCertificates();
/**
* Always returns false (no key material)
* @return false
*/
public boolean hasKeyMaterial();
/**
* Creates a null key manager (no client authentication)
* @return null (no key manager)
*/
public X509ExtendedKeyManager createKeyManager();
@Override
public String toString();
}Usage Examples:
import org.elasticsearch.common.ssl.EmptyKeyConfig;
// Use empty key configuration (no client certificates)
SslKeyConfig keyConfig = EmptyKeyConfig.INSTANCE;
// Check for key material
boolean hasKeys = keyConfig.hasKeyMaterial(); // always false
// Create key manager (returns null)
X509ExtendedKeyManager keyManager = keyConfig.createKeyManager(); // null
// Use in SSL configuration for server-only SSL (no client auth)
SslConfiguration config = new SslConfiguration(
"https",
true,
trustConfig, // some trust configuration
EmptyKeyConfig.INSTANCE, // no client key material
SslVerificationMode.FULL,
SslClientAuthenticationMode.NONE,
List.of(),
List.of("TLSv1.3")
);Key Configuration Patterns
Certificate Chain Handling
When working with certificate chains, the library automatically handles intermediate certificates:
// PEM files can contain certificate chains
// cert.pem:
// -----BEGIN CERTIFICATE-----
// (end entity certificate)
// -----END CERTIFICATE-----
// -----BEGIN CERTIFICATE-----
// (intermediate CA certificate)
// -----END CERTIFICATE-----
PemKeyConfig keyConfig = new PemKeyConfig("cert.pem", "key.pem", null, basePath);
List<Tuple<PrivateKey, X509Certificate>> keys = keyConfig.getKeys();
// Only returns the end entity certificate, but chain is preserved in key managerKeystore Type Detection
The library can automatically detect keystore types based on file extensions:
// These will automatically detect the correct keystore type:
new StoreKeyConfig("keystore.jks", password, null, null, keyPassword, algorithm, basePath); // JKS
new StoreKeyConfig("keystore.p12", password, null, null, keyPassword, algorithm, basePath); // PKCS12
new StoreKeyConfig("keystore.pfx", password, null, null, keyPassword, algorithm, basePath); // PKCS12
// Or explicitly specify the type:
new StoreKeyConfig("keystore.store", password, "JKS", null, keyPassword, algorithm, basePath);Key Password Handling
Different scenarios for key password management:
// Same password for keystore and private keys
char[] password = "secret".toCharArray();
new StoreKeyConfig(path, password, type, null, password, algorithm, basePath);
// Different passwords
char[] storePassword = "storepass".toCharArray();
char[] keyPassword = "keypass".toCharArray();
new StoreKeyConfig(path, storePassword, type, null, keyPassword, algorithm, basePath);
// Encrypted PEM key
char[] pemKeyPassword = "pempass".toCharArray();
new PemKeyConfig(certPath, keyPath, pemKeyPassword, basePath);
// Unencrypted PEM key
new PemKeyConfig(certPath, keyPath, null, basePath);Install with Tessl CLI
npx tessl i tessl/maven-org-elasticsearch--elasticsearch-ssl-config